Data encryption - Amazon Transcribe
Encryption at restEncryption in transitKey managementAmazon KMS encryption context
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Data encryption

Data encryption refers to protecting data while in transit and at rest. You can protect your data by using Amazon S3-managed keys or KMS keys at rest, alongside standard Transport Layer Security (TLS) while in transit.

Encryption at rest

Amazon Transcribe uses the default Amazon S3 key (SSE-S3) for server-side encryption of transcripts placed in your Amazon S3 bucket.

When you use the StartTranscriptionJob operation, you can specify your own KMS key to encrypt the output from a transcription job.

Amazon Transcribe uses an Amazon EBS volume encrypted with the default key.

Encryption in transit

Amazon Transcribe uses TLS 1.2 with Amazon certificates to encrypt data in transit. This includes streaming transcriptions.

Key management

Amazon Transcribe works with KMS keys to provide enhanced encryption for your data. With Amazon S3, you can encrypt your input media when creating a transcription job. Integration with Amazon KMS allows encryption of the output from a StartTranscriptionJob request.

If you don't specify a KMS key, the output of the transcription job is encrypted with the default Amazon S3 key (SSE-S3).

For more information on Amazon KMS, see the Amazon Key Management Service Developer Guide.

To encrypt the output of your transcription job, you can choose between using a KMS key for the Amazon Web Services account that is making the request, or a KMS key from another Amazon Web Services account.

If you don't specify a KMS key, the output of the transcription job is encrypted with the default Amazon S3 key (SSE-S3).

To enable output encryption:

  1. Under Output data choose Encryption.

    Screenshot of enabled encryption toggle and KMS key ID dropdown menu.

  2. Choose whether the KMS key is from the Amazon Web Services account you're currently using or from a different Amazon Web Services account. If you want to use a key from the current Amazon Web Services account, choose the key from KMS key ID. If you're using a key from a different Amazon Web Services account, you must enter the key's ARN. To use a key from a different Amazon Web Services account, the caller must have kms:Encrypt permissions for the KMS key. Refer to Creating a key policy for more information.

To use output encryption with the API, you must specify your KMS key using the OutputEncryptionKMSKeyId parameter of the StartCallAnalyticsJob, StartMedicalTranscriptionJob, or StartTranscriptionJob operation.

If using a key located in the current Amazon Web Services account, you can specify your KMS key in one of four ways:

  1. Use the KMS key ID itself. For example, 1234abcd-12ab-34cd-56ef-1234567890ab.

  2. Use an alias for the KMS key ID. For example, alias/ExampleAlias.

  3. Use the Amazon Resource Name (ARN) for the KMS key ID. For example, arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  4. Use the ARN for the KMS key alias. For example, arn:aws:kms:region:account-ID:alias/ExampleAlias.

If using a key located in a different Amazon Web Services account than the current Amazon Web Services account, you can specify your KMS key in one of two ways:

  1. Use the ARN for the KMS key ID. For example, arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  2. Use the ARN for the KMS key alias. For example, arn:aws:kms:region:account-ID:alias/ExampleAlias.

Note that the entity making the request must have permission to use the specified KMS key.

Amazon KMS encryption context

Amazon KMS encryption context is a map of plain text, non-secret key:value pairs. This map represents additional authenticated data, known as encryption context pairs, which provide an added layer of security for your data. Amazon Transcribe requires a symmetric encryption key to encrypt transcription output into a customer-specified Amazon S3 bucket. To learn more, see Asymmetric keys in Amazon KMS.

When creating your encryption context pairs, do not include sensitive information. Encryption context is not secret—it's visible in plain text within your CloudTrail logs (so you can use it to identify and categorize your cryptographic operations).

Your encryption context pair can include special characters, such as underscores (_), dashes (-), slashes (/, \) and colons (:).

Tip

It can be useful to relate the values in your encryption context pair to the data being encrypted. Although not required, we recommend you use non-sensitive metadata related to your encrypted content, such as file names, header values, or unencrypted database fields.

To use output encryption with the API, set the KMSEncryptionContext parameter in the StartTranscriptionJob operation. In order to provide encryption context for the output encryption operation, the OutputEncryptionKMSKeyId parameter must reference a symmetric KMS key ID.

You can use Amazon KMS condition keys with IAM policies to control access to a symmetric encryption KMS key based on the encryption context that was used in the request for a cryptographic operation. For an example encryption context policy, see Amazon KMS encryption context policy.

Using encryption context is optional, but recommended. For more information, see Encryption context.